CVE-2024-34716 – The Deceptive PNG Trap: From XSS to Remote Code Execution in PrestaShop (<=8.1.5)

The CyberSec Guru


Introduction

PrestaShop is a widely used open-source e-commerce platform, allowing businesses to build and manage online stores efficiently. However, its popularity also makes it a prime target for cyber threats. A recently discovered vulnerability, CVE-2024-34716, exposes PrestaShop (<=8.1.5) to Remote Code Execution (RCE) through a chained exploitation process, starting from an XSS vulnerability in the contact form’s PNG file upload feature.

In this blog post, we’ll break down the exploit chain, how attackers can leverage it to gain control over PrestaShop servers, and, most importantly, the steps to remediate and protect your online store.

Setting Up a Vulnerability Testing Environment Using Docker

To reproduce and analyze the issue, you can set up a testing environment using Docker:

  1. Download the PrestaShop Docker image:
     docker pull prestashop/prestashop
  2. Run the PrestaShop container:
     docker run -ti --name prestashop-sec-ops -e PS_INSTALL_AUTO=1 -e PS_FOLDER_ADMIN=admin123 -e PS_FOLDER_INSTALL=install123 -e DB_SERVER=127.0.0.1 -e DB_PASSWD=admin456 -p 8080:80 prestashop/prestashop
  3. Official Docker guide: follow PrestaShop’s official Docker guide for additional configuration: PrestaShop GitHub.

Exploitation Details

Step 1: Exploiting the XSS Vulnerability

The /contact-us page in PrestaShop allows users to attach images while submitting queries to customer service. The vulnerability lies in how an uploaded “PNG” whose contents are really JavaScript/HTML is stored and later served back: when a customer service agent opens the attachment, the browser renders it as HTML, triggering an XSS attack.

Attack Execution:

  1. Create a malicious PNG file (e.g., test.png) whose contents are an HTML payload:
     <script>alert(document.domain)</script>
  2. Submit the malicious file via the Contact Us page as a registered user.
  3. The customer service agent opens the attachment, triggering the XSS payload.
  4. The payload now runs in the agent’s authenticated browser session, which is the attacker’s initial foothold.

Step 2: Gaining Remote Code Execution (RCE)

To escalate the attack to RCE, an attacker can use the XSS exploit to execute a Cross-Site Request Forgery (CSRF) attack against the admin panel.

  1. Extract CSRF Tokens:
    • Retrieve the CSRF token from the admin panel via a GET request.
    • Extract it from the response <input type="hidden" id="import_theme__token" name="import_theme[_token]" value="random_string_token"/>.
  2. Upload a Malicious Theme
    • Download any existing PrestaShop theme and add a reverse shell payload.
    • Example: Use PentestMonkey’s PHP Reverse Shell.
    • Add a .htaccess file to prevent directory access restrictions:
      <IfModule mod_authz_core.c>
          Require all granted
      </IfModule>
    • Host the malicious theme as a ZIP file on an external server.
  3. Trigger the Exploit
    • Send an automated POST request to /admin/index.php/improve/design/themes/import with the CSRF token and payload.
    • Once uploaded, access the reverse shell and execute arbitrary commands on the server.

Automating the Exploit

A weaponized proof of concept (PoC) for CVE-2024-34716 is available:

  1. Clone the PoC repository:
     git clone git@github.com:aelmokhtar/CVE-2024-34716_PoC.git
  2. Modify and serve the malicious theme ZIP:
  3. Run the exploit script:
     pip install -r requirements.txt
     python CVE-2024-34716_PoC/exploit.py
  4. Gain a Reverse Shell:
    • Set up a Netcat listener: nc -lvnp <PORT>
    • Once executed, gain full command-line access to the vulnerable server.

Remediation and Security Fixes

The vulnerability is caused by insufficient input validation and improper handling of uploaded files. Here are the steps to mitigate the risk:

1. Enforce Strict MIME Type and File Extension Validation

// Allow-list: the only extensions accepted, each bound to the Content-Type it is later served with.
private const allowedExtensions = [
    'txt' => 'text/plain',
    'rtf' => 'application/rtf',
    'doc' => 'application/msword',
    'docx' => 'application/msword',
    'pdf' => 'application/pdf',
    'zip' => 'multipart/x-zip',
    'png' => 'image/png',
    'jpeg' => 'image/jpeg',
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'webp' => 'image/webp',
];

2. Prevent Multiple Extensions

$fileExtensions = explode('.', $fileName);
if (count($fileExtensions) > 2) {
    // "shell.php.png" carries two extensions; reject it outright.
    throw new PrestaShopException('Too many extensions for ' . $fileName);
} elseif (count($fileExtensions) < 2 || !array_key_exists($fileExtensions[1], self::allowedExtensions)) {
    // No extension at all, or one that is not in the allow-list.
    throw new PrestaShopException('Invalid extension for ' . $fileName);
}

3. Serve Files Securely

use Symfony\Component\HttpFoundation\BinaryFileResponse;

// PHP concatenates strings with '.', not '+'.
$response = new BinaryFileResponse($this->uploadDir . $fileName);
// The Content-Type comes from the allow-list, never from the client or the file name.
$response->headers->set('Content-type', self::allowedExtensions[$fileExtensions[1]]);

4. Set Security Headers

  • X-Content-Type-Options: nosniff – Prevent MIME type sniffing.
  • Content-Disposition: attachment – Force file downloads instead of execution.

5. Apply Patches and Update PrestaShop

  • Upgrade to the latest PrestaShop version (>=8.1.6) to receive security patches.
  • Monitor the official security advisory for further updates: PrestaShop Security.
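The remediation steps above, combined into one guard class as an added example (my code, not PrestaShop’s): the extension allow-list, the single-extension check, a content check with PHP’s finfo so that a file whose bytes are HTML cannot pass as a PNG, and delivery with nosniff plus an attachment disposition. It assumes Symfony’s BinaryFileResponse, which PrestaShop bundles; the class and method names, and the allow-list narrowed to types finfo identifies unambiguously, are my own.

```php
<?php
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
final class AttachmentGuard
{
    // Narrowed to types that PHP's finfo identifies unambiguously from file content.
    private const ALLOWED_EXTENSIONS = [
        'txt' => 'text/plain', 'pdf' => 'application/pdf', 'png' => 'image/png',
        'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif', 'webp' => 'image/webp',
    ];

    /** Returns the allow-listed MIME type for $fileName, or throws. */
    public static function expectedMime(string $fileName): string
    {
        $parts = explode('.', basename($fileName));
        if (count($parts) !== 2) {
            // Rejects "shell.php.png" as well as names with no extension at all.
            throw new RuntimeException('Exactly one extension required: ' . $fileName);
        }
        $ext = strtolower($parts[1]);
        if (!array_key_exists($ext, self::ALLOWED_EXTENSIONS)) {
            throw new RuntimeException('Extension not allowed: ' . $fileName);
        }
        return self::ALLOWED_EXTENSIONS[$ext];
    }

    /** True only if the bytes on disk are what the extension claims. */
    public static function contentMatches(string $path, string $expectedMime): bool
    {
        // A "PNG" whose bytes begin with <script> is detected as text/html, not image/png.
        return (new finfo(FILEINFO_MIME_TYPE))->file($path) === $expectedMime;
    }

    /** Delivers the attachment so the agent's browser downloads it and never renders it. */
    public static function serve(string $uploadDir, string $fileName): BinaryFileResponse
    {
        $mime = self::expectedMime($fileName);
        $path = rtrim($uploadDir, '/') . '/' . basename($fileName);
        if (!self::contentMatches($path, $mime)) {
            throw new RuntimeException('File content does not match its extension: ' . $fileName);
        }
        $response = new BinaryFileResponse($path);
        $response->headers->set('Content-Type', $mime);
        // nosniff stops the browser from second-guessing the declared type;
        // an attachment disposition forces a download instead of inline rendering.
        $response->headers->set('X-Content-Type-Options', 'nosniff');
        $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_ATTACHMENT, basename($fileName));
        return $response;
    }
}
```

With this guard, the test.png from Step 1 fails at contentMatches() because finfo reports text/html for it, and even a file that slipped through would be downloaded rather than rendered in the agent’s session.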

Conclusion

The CVE-2024-34716 vulnerability exposes PrestaShop users to severe risks, from XSS to full Remote Code Execution. By understanding the attack chain and implementing strict security controls, store owners can safeguard their platforms against exploitation. Always ensure your platform is up-to-date, enforce strict file validation, and implement security headers to prevent similar vulnerabilities in the future.

Stay secure, and keep your e-commerce store safe!
